Monthly Archives: March 2012

The Federal Trade Commission (FTC), the arm of the government responsible for creating and enforcing national privacy policy, has published a report about how American businesses should protect the privacy of consumers and recommends the ways companies should give consumers greater control over the data that is collected about them. As part of the report, called “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers,” the FTC also calls for Congress to consider creating general privacy legislation, data security and breach notification legislation, and data broker legislation.

The report calls on American businesses to use best practices when it comes to privacy, specifically it calls for :

Privacy by Design – companies should build in consumers’ privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy;

Simplified Choice for Businesses and Consumers – companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.

Greater Transparency – companies should disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.

In an attempt to not burden small businesses, the report concludes that these recommendations should not apply to companies that collect non-sensitive data from less than 5,000 consumers a year.

“If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said Jon Leibowitz, Chairman of the FTC. “We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

Data Brokers

The report takes a swipe at data brokers – who exist solely to buy, collate, and sell highly personal information about consumers, often without consumer consent or their knowledge about how this data is being used. The FTC reminds data brokers that existing legislation already gives consumers the right to access information held about them by data brokers. But it also recommends that data brokers make their operations more transparent and create a centralized website where consumers can get information about their practices and their options for controlling data use.

Concerns over data brokers rose last year after an investigation by The Associated Press which found that many such brokers frequently store incorrect or outdated information, including criminal records. The investigation found that some people were denied jobs because a data broker had incorrectly reported them as a convicted felon. Last year the data broker HireRight Solutions Inc. was forced to settle a class-action lawsuit for $28.4 million after widespread complaints about inaccurate records led to legal action against the company.

Do-Not-Track

The work done by the major browsers (like Firefox and Chrome) to develop do-not-track technology has been commended by the FTC. With DNT users have a choice about whether to be tracked by third parties as they move across the web. The World Wide Web Consortium, the group which defines the various technology standards for the Internet, are currently developing a universal web protocol for Do Not Track. “The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system,” the report says.

‘Everyone has a price’ is the old saying and it is certainly true today where privacy is concerned. In a world where personal data is traded like any other commodity, the European Network and Information Security Agency (ENISA) – a centre of network and information security expertise for the EU – has published a study about consumer behavior in relation to the disclosure of personal information during a purchase or transaction.

In a set of controlled experiments, Dr Nicola Jentzsch and his team discovered that people have a natural built-in mechanism to protect their privacy but only if it doesn’t cost them anything. Under the experiments the participants simulated buying tickets for a movie from one of two sellers. One of the sellers asked for more personal data (e.g. their cell phone number) than the other. If the price was the same at both sellers, the majority of purchases were made with the privacy-friendly service (about 83% of all tickets sold). But, if there was a price difference (where the vendor asking for more information was cheaper) most of the participants (more than two-thirds) happily revealed the information to get the tickets cheaper.

Another interesting aspect of the study is that of those who opted to go with the privacy-unfriendly service, some participants tried to cheat the system by supplying false information (like giving their name as Donald Duck) in an attempt to get the discount. To offset this tendency the researchers used a lie detector to ensure only truthful information was given! After buying the tickets the participants were asked if they had concerns about whether the ticket seller would protect their information. A majority of users expressed concerns with only about 0.7% of participants saying that they are ‘not interested at all’ if organizations that collect personal data also protect this information.

What is startling about this study is the price difference. Were the tickets, which asked for the mobile phone number, half price? At a 33% discount? No, the difference in the price was just $0.65. Just over half a dollar, that is what private information is worth!

The report make several recommendations, one of which is “Personal data protection and privacy is a human right. The European Commission, EU Member States and data protection authorities should enforce a clear and consistent legal data protection framework.” This should also be true in the USA.

It seems that asking for more personal information than is necessary is becoming a “normal” part of online life. According to the ENISA report “43% of Internet users say they have been asked for more data than necessary when trying to obtain access to or use an online service.” It is essential that online users avoid (as much as is possible) services that request unnecessary amounts of data. Once you have handed over private information there is no way to get it back. Worse still, it seems as if greedy workers are willing to break confidentiality rules (and privacy policies) to make some extra money on the side. An investigation by the UK’s Sunday Times has found “corrupt Indian call center workers” sold confidential personal data of more than 500,000 customers to cyber criminals and marketing firms.”

Use your common sense. Don’t reveal what isn’t necessary. Use privacy friendly services, even if they cost $0.50 more!

In the fight for online freedom and the right to privacy there are three main ways in which action can be taken. The first is for each individual to protect their online identity by using the right privacy software and applying common sense to their online activities. The second is to protest (like the Internet Blackout Day in January) and the third is to use the law. It is this third option which is being used this week by a group of 13 individuals in Texas, who have filed a class action, and by two congressmen who have sent Apple a letter asking Timothy Cook, Apple’s chief executive, to make representatives available to brief an Energy and Commerce subcommittee.

The class action is being brought against 18 tech companies including Facebook, Twitter, Foursquare, Yelp and the makers of the popular game Angry Birds for stealing contacts from Android and iOS powered smart phones without the owner’s permission or knowledge. The lawsuit is in response to a story which broke in February when a blogger noticed that the social networking service Path uploaded a phones entire address book to its servers. This resulted in Path issuing an apology, deleting its entire collection of user uploaded contact information from its servers and issuing a new version of its app. But it soon turned out that other social networking apps did exactly the same thing and hence the lawsuit.

The plaintiff’s complaint is that the contacts in a mobile phone, which includes physical and e-mail addresses, job titles and birthdays as well as phone numbers, are some of the most personal data that owners carry on their wireless mobile devices. And they claim that the defendants have made, distributed and sold apps that, once installed on a wireless mobile device, surreptitiously harvest, upload and illegally steal the owner’s address book data without the owner’s knowledge or consent.

The complaint then goes on to quote from the New York times: “The address book in smartphones — where some of the user’s most personal data is carried— is free for app developers to take at will, often without the phone owner’s knowledge. . . Companies that make many of the most popular smartphone apps for Apple and Android devices — Twitter, Foursquare and Instagram among them — routinely gather the information in personal address books on the phone and in some cases store it on their own computers… While Apple says it prohibits and rejects any app that collects or transmits users’ personal data without their permission, that has not stopped some of the most popular applications for the iPhone, iPad and iPod — like Yelp, Gowalla, Hipsterand Foodspotting — from taking users’ contacts and transmitting it without their knowledge.”

“We’re making some fairly serious allegations against the big boys,” the plaintiffs’ attorney, Jeff Edwards, told the Austin American-Statesman. “We’re saying, ‘Hey, you took something that didn’t belong to you, and you’re making a profit off it.’”

Congress it seems is also interested in how apps can get hold of a user’s data. This week Representative Henry A. Waxman, a California Democrat, and Representative G.K. Butterfield, Democrat of North Carolina, sent a letter to Apple’s CEO Timothy Cook asking for further clarification on how applications for the iPhone, iPad and iPod Touch are allowed to access photos without a user’s knowledge. In fact this is the second letter the pair have sent to Apple. Having received Apple’s reply to their first letter, Waxman and Butterfield wrote back to Apple saying that Apple’s reply did “not answer a number of the questions raised about the company’s efforts to protect the privacy and security of its mobile device users.”

Rather than asking for another reply from Apple, this time the two ranking members of the Subcommittee on Commerce, Manufacturing, and Trade are asking Apple to make available representatives to brief staff on the committee.

For many, Twitter is a casual, harmless way to publish their musings, moments and mutterings to friends and loved ones. A quick tweet that your cat just had kittens or that your baby just said “Mama” is received with oohs and aahs from grandma. But, Twitter is also a serious Internet phenomena with celebrities and politicians garnering thousands even millions of followers who hang on every word they write. Lady Gaga has now over twenty million (that’s 20,000,000) followers, Barack Obama over twelve million, CNN’s breaking news service over six million and so on. With thousands of tweets being published every minute this huge amount of data is rich for the pickings, especially for marketers.

Until recently only the last 30 days of tweets were available for companies to search and normal users could only search messages from the past seven days. But now Twitter has partnered with a company called Datasift to create a huge, searchable Twitter archive. The new archive will be used by market research companies to search and analyse Twitter updates since January 2010.

The new service, which absorbs and processes 250 million tweets every day, has already attracted lots of customers for Datasift who say that it has almost 1,000 companies who are waiting to access the service.

Datasift are very proud of their new service and are talking about their achievements to overcome the massive technological challenge to processes so much data. But privacy advocates are more concerned with the implications of what Datasift are doing. “People have historically used Twitter to communicate with friends and networks in the belief that their tweets will quickly disappear into the ether,” argued Gus Hosein, executive director of Privacy International in an interview with the BBC. “The fact that two years’ worth of tweets can now be mined for information and the resulting ‘insights’ sold to businesses is a radical shift in the wrong direction.“ The Electronic Frontier Foundation, an online rights and privacy group, have described the service as “creepy”.

Creepy is the right word… Imagine a friend who records all your conversations and, after two years, sends you an MP3 of a conversation you have while walking in the park. Creepy indeed! Tweets are no longer innocent status messages that soon fade into the ether, soon forgotten and hard to archive. No. Now Tweets are stored, analysed and processed to build up marketing information. Worse still, if you have set your account to add location data to your tweets, this information is also processed and analysed. Fortunately it is fairly easy to switch off the storing of location data with your tweets and Twitter also has the ability to delete location information from old tweets. However Twitters location data support page carries the ominous warning: “It is important to note that deleting location data in your settings does not guarantee the information will be removed from all copies of the data on third-party applications or in external search results.”

One little glimmer of good news is that “private” Twitter accounts (which are not public and only allows followers to see tweets” or tweets that have been deleted are not included in this searchable archive. As with all social networking sites, whether it is Twitter, Facebook or LinkedIn – if you aren’t happy with what you write being completely public then don’t post it.

It has been an interesting week with regards to privacy with Google switching to its new privacy policy and an EU Justice Commissioner announcing that Google is violating European law by doing so. Under the new policy Google will be collecting, collating and analyzing the online activities of every Google user across all of its services including search, Gmail, Google+, your phone (via Android) and YouTube. This data will be used to construct a profile of each user which Google will then use to target users with adverts and offers. Although this doesn’t sound that ominous at first – as really if I need to see ads then I would rather they would be about things that might interest me – the full scale of Google’s privacy invasion hasn’t yet been realized. Will these profiles record our health situation, our political opinions, our religious affiliations and our financial concerns?

While the “big boys” battle over policy, law and self regulation, there are some practical things that each and every Internet user can do to limit how much information they share with companies like Google.

The first place to start is with your IP address. This is an address assigned to your computer while it is connected to the Internet. It is similar to a phone number or postal code, but for computers. Each and every time you access the Internet this IP address is recorded. Worse than that, your IP address reveals where you are in the world and who is your ISP. It is time to become anonymous, to slip into the shadows. The easiest way to do this is to use the Hide My IP software. With it you can hide your online identity, surf anonymously and encrypt your Internet connection. If you need anonymity for more than just web browsing you should use a fully fledged Virtual Private Network (VPN) like FoxyVPN. Once using a VPN not even your ISP can tell what you are doing on the net.

Once you have the right software on your computer, it is worth visiting Google’s Privacy Tools page. Here you find out what Google knows about you and you can change your privacy settings for services such as Blogger, Calendar, Docs, Gmail, and Picasa. The Google Dashboard (part of the privacy tools) also has a “Me on the Web” section that can help you understand and manage what people see when they search for you on Google.

It is also worth using the “private browsing” feature of your web browser. Known as InPrivate Browsing in Microsoft’s Internet Explorer, Incognito in Google’s Chrome, and Private Browsing in Firefox and Apple’s Safari, using it will increase security and help protect your privacy online. Using it for sites like Gmail, Facebook etc will make it harder for other sites to track you.

Of course the best way to limit what third parties know about you is to avoid sharing the information in the first place. At a time when incidents of identity theft is rising, avoid giving too much away. On social networking sites it is best to not to provide unnecessary detail, and use the privacy controls to limit others access to your data. Never post pictures which you might regret others seeing (even in five years from now) and never divulge your holiday plans or other private information online. The hard reality is that avoiding social networking sites all together will increase your privacy.